Hi, This was a thread that was discussed a few days ago. See the following post from Joe where he explains some things in addition to my own post. http://www.mail-archive.com/[email protected]/msg29621.html
HINTS: * nested groups -> is that user a member of a non-default-protected-group and where that non-default-protected-group IS a member of a protected group. * were those users somehow members of protected groups in the past? If they were and now are not the admincount will not be reset to 0 Is this an answer to your issue? #JORGE# -----Original Message----- From: [EMAIL PROTECTED] To: [email protected] Sent: 6/10/2005 8:35 PM Subject: [ActiveDir] troubleshooting object permission inheritance Greetings -- Using adfind to identify users who have the AdminCount attribute set to 1. Looking at the output there are users who are expected to have that set seeing that they are Domain Admins BUT i also see a handful of users who are not members of a protected group. Using admod to set AdminCount=0 for those users temporarily sets it until the PDC mechanism runs which compares the ACLs and resets it. If the user isn't in a protected group then what is causing this behavior? And i guess once i know that i can set AdminCount=0 for them, permanently? tia, john List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
